The Difference between Compliance and Patriotism
TheJournal.ie has an interesting story today about where the various Irish Political Parties have their websites hosted. It’s an interesting story, but I must profess the view that the article confuses the issues of complying with Data Protection legislation and being patriotic and “buying Irish”.
The Data Protection Acts do not require that organisations processing personal data “buy Irish”. They do provide clear guidance and duties to ensure that where personal data that is moving across borders is doing so in a safe and secure manner.
The article on TheJournal.ie makes much of the fact that the Green Party’s website is hosted in the UK by the UK subsidiary of a a Norwegian company. The implication being that this is a bad thing. It’s not, so long as the Green Party have taken the other steps necessary to ensure compliance with the relevant legislation.
Likewise, much is made of the fact that the Labour Party website is hosted in the UK. Again, this is not an issue, assuming that the Labour Party has ticked the rest of the boxes necessary for proactive Data Protection compliance.
The Country Issue
The simple fact is that there is no impediment to the transfer of personal data within the 27 Member States of the European Union, because we all have equivalent legislation that is based on the same foundation Directive, 95/46/EC.
So… given that the UK has their Data Protection Act 1998, which is governed by the Information Commissioner’s Office (which has issued this guidance to politicians), personal data can be transferred there without worry. In fact, given the recent raising of penalties for breaches of the Data Protection rules in the UK to stg£500,000, there is a big incentive for organisations to be in compliance with the law.
With regard to the UK subsidiary of a Norwegian company providing hosting services in the UK… that is a complex tangle which might look fishy but is actually perfectly legitimate for two simple reasons.
- The actual legal entity which is providing the hosting services appears to be a company incorporated in the United Kingdom, therefore the activities of that company will be governed by UK Data Protection Act 1998, which enacts 95/46/EC in the UK.
- Even if the hosting was being performed in Norway, this would actually be perfectly legal as Norway is one of the 3 non EU members of the European Economic Area. Membership of this “club” requires that Norway have enacted legislation that meets the requirements of Directive 95/46/EC.
The Fairness and Transparency Question
Of course, just because the transfer of personal data to hosts in the UK or elsewhere in the EU and the EEA is legal doesn’t mean it is transparent. The “Privacy Statement”,which is a legal requirement for websites which are processing personal data, would address this because it gives an opportunity for the Data Controller (the “owner” of the site) to communicate where data is being processed and why and what controls and governance are in place. The guideline is to include a level of information necessary to make the obtaining and processing of the personal data fair.